Coincidentally, we talked about this on IRC yesterday. There is no API for firewall rules yet. Once we (hopefully) get interfaces into an API for 17.1, we can possibly dream of a firewall rules API for 17.7. It depends on workload and external help.

The safest bet for local automation right now is to adapt the actual firewall_rules_edit.php as a custom GET script, embed a security token into that script -- let's name it rules_patch.php -- and move it to /usr/local/www to be called from an external location for the actual APIsh invoke... Something like this: